Apple 'Ban' Gives Miller Time To Hack Other Things

Charlie Miller reflects on how his NSA chops were a natural progression to Apple hacking, how hard hacking has become -- and his obsession with reality TV shows about stage moms

Charlie Miller won't be exposing any new security holes in Apple products at Black Hat USA this year. Instead, the renowned researcher will show just how dangerous it can be to pay cab fare with your mobile device, as he demonstrates vulnerabilities he discovered in emerging near-field communications (NFC) technology.

Miller, 39, is more interested in fresh meat now than in hammering away at existing Apple products. Plus, he's still serving the remainder of his one-year ban from Apple's App Store developer program in the wake of a research app he was able to slip past its vetting process last year, so he can't get a prerelease peek at iOS images to find new bugs in the upcoming iOS 6, anyway. "If you told me to look for a [bug in] Safari, that would be so awful. I've done that so many times. There is no thrill for me now in finding a bug in WebKit. I don't do that for fun anymore ... there's a patch and it's gone," Miller says. "I like to look at new devices."

That doesn't mean he has sworn off Apple-hacking, however. "As much as I'd like to help secure the new iOS, at present I'm not allowed to do so" due to the ban by Apple, he says. "That said, I still love their products and use them daily, so there is a good chance I'll take a close look at them again in the future."

He won't reveal any details on what he found or will demo at Black Hat later this month in Las Vegas, but Miller says he was attracted to NFC because the chip-based technology is so new and he's always on the lookout for ways to compromise mobile phones, like posing as a terminal and forcing the phone to do something. "Can I intercept your money or your credit card ... [or] take over your phone because you have this new chip [and] functionality?" he says.

The downside of his new hacking target, according to Miller, is that NFC is still so new and not yet widely deployed. "I'm ahead of the curve this time, and that's not really where I want to be," Miller says.

The mathematician-turned-security researcher got his start in the security business in much the way many of his cohorts have: more by accident than by design. Miller finished school with a PhD in math from Notre Dame and was hired by the National Security Agency (NSA) as a cryptographer. He knew little about data security at the time. "I didn't really want to do cryptography. I decided I wanted to do security," says Miller, who won't discuss what exactly he did with crypto during his time at NSA.

He left NSA after five years when his family began to grow, and they headed back to his hometown of St. Louis, where he now lives with his wife and two sons, 6 and 8, and works from a home office. But Miller had trouble landing a job right away. "No one outside NSA knew who the hell I was," he says. His first job post-NSA was at a financial services firm, and his responsibilities included writing security policies and checking password security -- work he admits was "pretty awful."

You always remember your first bug, and in Miller's case, it was two bugs he found in his then-employer's Web applications. "One allowed you to get a channel on their Web server, and another elevated privileges," he recalls. "I chained them together to exploit their own Web server and showed it to them."

The firm's head of development at first didn't understand what exactly Miller had uncovered. "He had no idea what I was talking about," Miller says. "But I got them to fix it" in the end.

These days Miller enjoys the freedom of plying his self-taught hacking craft both on the job for clients and also on the side for his own research interests. Miller, who joined Accuvant last year as principal research consultant after several years with Independent Security Evaluators, first made a name for himself in security with his Apple hacking skills, which he says were actually a natural outgrowth of his NSA background. "Coming out of NSA, I knew a lot about Linux and not much about Windows. OS X was a natural thing [for me] because it's Linux-like enough so I knew how it worked. Then the iPhone came along, and that was basically like OS X as well ... and Linux, so it was a natural place for me to be," he says.

He scored big in the Pwn2Own hacking contest starting in 2008, when he was the first to find a major bug in the MacBook Air, and then the next year, in hacking Safari. He was among the contest winners in 2011 as well, with Apple as his target once again. But one of his more notable Apple hacks was outside Pwn2Own, and it became his most notorious one after Apple punished him for a stock market ticker app he created and slipped past Apple's app review process and into its App Store last fall. The app exploited a flaw in iOS that let an app run malicious code and ultimately allowed an attacker to silently take over the user's device; he demonstrated this in a video and reported it to Apple. Apple responded by kicking him out of its developer program for a year.

Miller is most proud of the SMS texting bug in the iPhone that he found and then revealed at Black Hat USA in 2009. "It was the coolest [of my research] because it didn't require any user interaction. You send a text to take over the phone and there's nothing you can really do to protect yourself. There's no setting on your phone to stop text messages, and even if you turn off the phone, it sends the attack to you," he says.

But hacking isn't the same as when Miller first started out. Back then, vulnerabilities were being dropped publicly in droves, by hackers of all skill levels. The evolution in software security over the past few years has made bugs fewer and harder to find -- and exploiting the ones you do find is even harder, Miller says. "It's really hard" now, he says. "It takes me [about] two weeks now to find a bug. You don't see guys like me doing that anymore: It's not worth the time."

Exploiting vulnerabilities is more difficult now thanks to anti-exploit technologies, such as sandboxing, he says. "Now when a researcher finds vulnerabilities that have exploits, they don't want to give them away for free. You're giving away a month of your time."

It's the sophisticated attackers who are bypassing security that worry Miller. "Probably the thing that scares me most is sophisticated attackers still win," he says. "Ever since Stuxnet -- oh, man, they did everything right and still got killed. That's a scary thing. You have all of your security software, isolated networks, everything in place, and someone rolls in with 0days and takes you over ... If they can get on an Iranian nuclear site that's not connected and is fully patched, then no one is safe."

Personality Bytes

Worst day ever at work: I was brought in on-site to see why this company's Web server kept going down. I was there a couple of days and couldn't figure it out -- it'd just reboot once in a while. On my way to the airport, I got a call from the CEO, who told me that they figured out one of the members of the IT staff had been pulling the power cord when nobody was looking. Doh!

What your co-workers don't know about you that would surprise them: I watch "Dance Moms" and "Toddlers & Tiaras" every chance I get.

Favorite team: Notre Dame football, of course. Actually, for a computer guy, I'm a bit of a sports nut. I once applied for a job at Electronic Arts, and I couldn't convince them I liked sports -- they thought I was lying to get the job.

Favorite hangout: I almost never leave my house. I guess my favorite hangout is my home office. I'm pathetic.

In his music player right now: Some Pete Yorn, various '80s music, and some techno stuff.

Miller's security must-haves: I always choose usability over security, so I don't really have any security must-haves, but one program I do use is MoxierWallet to manage my passwords.

Business hours: 8 a.m. until 4 p.m. every day, and a little at night. I have kids who get up at 6 a.m. whether I'm up or not. My best work is really early in the morning.

Actor who would play him in a film: Bruce Willis is old and bald, but probably too good-looking. Michael Cera is nerdy-looking, but too young. So I'm thinking Tony Hale from "Arrested Development" fame.

Next career: I'd like to throw my big data skills at something like cancer research.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

I still can't believe Apple banned him like that. It's a classic example of how they seem to approach security: shoot the bearer of bad tidings, stick your fingers in your ears and scream "LALALA" and then tell all the fanboys that everything is swell.
